The Upstream router needs to send a packet to the Destination IP address 1.1.1.2. It will send an ARP Request for the IP address 1.1.1.2. If Proxy ARP is not configured on the SRX, the SRX will not reply to the ARP Request as it does not have the IP address configured on the interface ge-0/0/0.0. The ARP request will timeout and the packet will be dropped at the Upstream router. However, if Proxy ARP is configured for interface ge-0/0/0.0 for the IP 1.1.1.2, then when the Upstream router sends a ARP Request out for the IP address 1.1.1.2, the SRX will respond to the ARP Request. Then the Upstream router will be able to send the packet to the Destination IP address 1.1.1.2 (and the MAC address of the SRX).

How to check if Proxy ARP is enabled

Run the following configuration mode command:

root# show security nat proxy-arp

Below is an example of a Proxy ARP configuration. (If nothing is returned with the above command, then Proxy ARP is not configured.)

root# show security nat proxy-arpinterface ge-0/0/0.0 { ## The interface where the proxy-arp is configured address { 2.2.2.3/32; ## The 2 IPs where the packet will be destined 2.2.2.4/32; }

Other Example:

The Destination NAT example is same as the Static NAT example above.

Below is a Source NAT example. This is how to configure Proxy-ARP when the Source NAT is configured for an IP which is not the External interface IP, but in the same network as that of External Interface IP.

In this example, Source NAT is configured with an IP pool (1.1.1.3/32 - 1.1.1.4/32), which is on the same subnet as the SRX interface (1.1.1.1/24).

The Client requires their IP address 192.168.5.12 to be translated to 1.1.1.3/32 or 1.1.1.4/32 (from the Source NAT Pool).

In this case, Proxy-ARP needs to be configured for the interface ge-0/0/0.0, mapping the interface MAC to the IP address 1.1.1.3 and 1.1.1.4: